Designing a directory services infrastructure for your
Windows network can seem like an overwhelming task. If your business is small,
it may seem logical to go with the simplest design possible, but if there’s
anything more time-consuming and complex than developing a brand-new Active
Directory design, it’s trying to redesign an existing infrastructure that wasn’t
developed with growth in mind.
The good news is that a well-planned directory
infrastructure can easily grow as your business does, even accommodating
acquisitions and mergers, without ever having to tear it down and start over.
That’s why it’s important to take the time to learn best design practices and
build scalability into your directory infrastructure from the beginning.
Active Directory: Born to scale
The Active Directory is a hierarchical database that
contains all of the important information about users, computers, and other
network resources. Its structure allows you to locate, manage, and apply
security mechanisms and other policies to selected objects in a centralized
manner. Active Directory is based on the Lightweight Directory Access Protocol
(LDAP) and ISO/ITU X.500 standards, making it easier to interoperate with, and migrate information to and from, other LDAP-compliant
As your organization grows, you may need to develop your own
proprietary software applications. Using the Active Directory Services
Interface (ADSI) API, your programmers can create software that works with
Active Directory and other LDAP-compliant directories. You can also use the
Directory Services Markup Language (DSML) to create an environment where XML-based
applications can work with the Active Directory and use its information.
Active Directory structural components
If you’re creating your Active Directory infrastructure from
scratch, you have the opportunity to maximize scalability and flexibility.
There are two components involved in planning your directory structure:
The logical structure consists of objects (files, folders,
computers, users, printers, etc.) that are organized within containers (objects
in which you can place other objects, including organizational units, domains,
domain trees, and forests). The physical structure consists of sites, which are
groups of computers or IP subnets that are connected via a high-speed link.
Sites contain computers.
The logical and physical structures don’t necessarily
correspond. One domain can span multiple sites and one site can contain more
than one domain. It’s important to note that you can apply group policy objects
based on either logical or physical structure. That is, you can apply a policy
to a logical unit such as a domain or organizational unit (OU), or to a
physical unit (a site).
Designing for scalability
An important consideration in designing a scalable directory
structure is the namespace. Every directory object has a unique name, and
Active Directory uses standard naming conventions to describe and locate
objects within the directory. Active Directory uses the Domain Name System
(DNS) to resolve names. This is the same system used on the Internet to resolve
computer names to IP addresses. DNS names are hierarchical, like the directory
In planning a namespace, you should consider how your
company is structured, and also how it is likely to be structured in the future
as it grows. A small company may very well start with a single domain, but as
the organization grows, you may find it useful to divide the network into
multiple domains because a domain forms a security and administrative barrier.
The first domain is often named for the company. For
example, if your company is named Acme Inc., your first domain might be
Acme.com. You might then create “child” domains under it based on
departmental divisions or geographic locations. The name of the child domain is
prefixed to the name of the parent domain, so you end up with child domains
called Finance.Acme.com and Sales.Acme.com representing different departments
(or perhaps Atlanta.Acme.com and Dallas.Acme.com representing branch offices).
The important part is to create a namespace that logically
divides the network and makes each part easily identifiable. The first domain
you create becomes the “root” of the domain tree (which consists of
all the domains with a common namespace).
Growing the directory structure
You can easily add and delete domains if the structure of
your organization undergoes changes. If your company merges with another, you
can create a separate domain tree by creating a new root domain with a
different namespace (for example, Zeta.com). These two domain trees can be part
of the same Active Directory forest, which means there will be a trust relationship
between the root domains of each tree. Because Active Directory trusts are
transitive, users in one domain tree will be able to access resources in the
other tree (as long as their user accounts have been assigned the appropriate
permissions to do so).
It is also possible, as your organization grows even larger,
to create a multiple-forest environment. This would be necessary if you have
separate autonomous divisions that don’t want to share the same schema (which
defines directory objects and attributes) and the same Global Catalog (which
contains a searchable representation of all objects in the directory).
Active Directory domains can scale to hold millions of
objects. Of course, a domain with a large number of objects can become
unwieldy, but you can further divide and organize groups of objects within a
domain by creating OUs. You can even nest OUs inside other OUs, and you can
apply policies and delegate administrative responsibilities at the OU level for
very granular control. Policies and user rights are inherited by nested OUs from the OUs in which they
An important part of Active Directory’s scalability lies in
the ability to replicate directory information between domain controllers at
different sites across wide area networking links. This keeps the directory
information up to date across the entire network and makes it available to all
users, no matter where they are physically located.
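As an added example (not from the original article) of carrying the design above into practice, the following builds the Acme.com forest root, its Finance and Sales child domains, a second tree for the Zeta.com merger, nested OUs with an inherited policy, and Atlanta/Dallas sites with a site link, using Microsoft's ADDSDeployment, ActiveDirectory and GroupPolicy PowerShell modules. The subnet ranges, OU, site and GPO names, and the site-link cost and schedule are assumed for illustration; each Install-ADDS* step runs on the server that will become that domain's first domain controller.

```powershell
# Added example, not from the original article. Each Install-ADDS* command runs
# on the (separate) server that becomes the first domain controller of that
# domain and reboots it; steps 4-5 run from any domain-joined admin session.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$ea   = Get-Credential -Message 'Enterprise Admins member in Acme.com'

# 1. The first domain is the root of both the domain tree and the forest.
Install-ADDSForest -DomainName 'Acme.com' -DomainNetbiosName 'ACME' `
    -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# 2. Child domains: the child's name is prefixed to the parent's, so these
#    become Finance.Acme.com and Sales.Acme.com (one server per domain).
Install-ADDSDomain -DomainType ChildDomain -NewDomainName 'Finance' `
    -ParentDomainName 'Acme.com' -InstallDns -Credential $ea `
    -SafeModeAdministratorPassword $dsrm -Force
Install-ADDSDomain -DomainType ChildDomain -NewDomainName 'Sales' `
    -ParentDomainName 'Acme.com' -InstallDns -Credential $ea `
    -SafeModeAdministratorPassword $dsrm -Force

# 3. After the merger: a second tree with its own namespace in the same forest.
#    The tree-root trust created here is transitive, like every intra-forest trust.
Install-ADDSDomain -DomainType TreeDomain -NewDomainName 'Zeta.com' `
    -ParentDomainName 'Acme.com' -InstallDns -Credential $ea `
    -SafeModeAdministratorPassword $dsrm -Force
Get-ADTrust -Filter * | Select-Object Name, Direction, IntraForest   # parent-child and tree-root trusts

# 4. Physical structure: sites, the subnets that map clients to them, and the
#    site link over which replication crosses the WAN (cost/schedule assumed).
New-ADReplicationSite -Name 'Atlanta'
New-ADReplicationSite -Name 'Dallas'
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Atlanta'   # constructed ranges
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'Dallas'
New-ADReplicationSiteLink -Name 'Atlanta-Dallas' -SitesIncluded 'Atlanta','Dallas' `
    -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP

# 5. Logical structure inside Acme.com: nested OUs, a GPO linked at the parent
#    OU (inherited by the child OU), and a second GPO linked to a physical site.
$base = 'DC=Acme,DC=com'
New-ADOrganizationalUnit -Name 'Atlanta' -Path $base -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Workstations' -Path "OU=Atlanta,$base" -ProtectedFromAccidentalDeletion $true
New-GPO -Name 'Atlanta Baseline' | New-GPLink -Target "OU=Atlanta,$base" -LinkEnabled Yes
(Get-GPInheritance -Target "OU=Workstations,OU=Atlanta,$base").InheritedGpoLinks   # lists 'Atlanta Baseline'
New-GPO -Name 'Atlanta Site Policy' | New-GPLink -Target "CN=Atlanta,CN=Sites,CN=Configuration,$base" -LinkEnabled Yes
```

The Get-ADTrust and Get-GPInheritance calls are the checks: the first should list the parent-child and tree-root trusts with IntraForest set, and the second should show the parent OU's policy arriving at the nested OU through inheritance.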
Thus, if planned properly, your Active Directory structure
should be able to grow with you as your company expands from a small business
to a multi-site enterprise. For more detailed information about planning and
deploying Active Directory, see Microsoft’s
Active Directory Collection on the TechNet web site.